Thomas Lamprecht [Sun, 15 May 2022 06:47:03 +0000 (08:47 +0200)]
config defaults: macfilter defaults to on
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 4 Nov 2021 15:37:17 +0000 (16:37 +0100)]
bump version to 4.2-5
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 29 Oct 2021 16:13:20 +0000 (18:13 +0200)]
fix #3677: follow up: actually handle bucket size and ignore initval
The former is simply new and we can control it, so do so instead of
ignoring it, if it seems worth while we can also expose that as
option or do some fancier auto calculation, maybe depending on ipset
size.
The u32 `initval` is a bit different, its not a config in the exact
traditional sense but would allow to recreate an bit to bit
indentical save/restore - but we do not really do that and we cannot
pre-calculate that our self (or at least I'd rather like to avoid
doing that from perl).. So, ignore it actively for now to avoid
false-postivie detection in pending changes.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mark Yardley [Mon, 18 Oct 2021 20:21:32 +0000 (21:21 +0100)]
fix #3677 ipset_get_chains fixed to work with new ipset output
Signed-off-by: Mark Yardley <mgit@fragmentedpackets.net>
Thomas Lamprecht [Tue, 12 Oct 2021 08:39:12 +0000 (10:39 +0200)]
bump version to 4.2-4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 10 Sep 2021 11:00:11 +0000 (13:00 +0200)]
bump version to 4.2-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Lorenz Stechauner [Thu, 5 Aug 2021 10:59:03 +0000 (12:59 +0200)]
fix #2721: remove reject tcp 43 from default drop and reject actions
first, '43' is a typo, it should say '113' (if it really is like
legacy shorewall [0]). this tcp port corresponds to the ident or
authentication service protocol.
second, nowdays this reject is not included in shorewall anymore.
furthermore it would make no sense to reject specifically this
one port.
[0] https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/action.Drop#L66
https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/Macros/macro.Auth
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Thomas Lamprecht [Mon, 21 Jun 2021 09:31:47 +0000 (11:31 +0200)]
bump version to 4.2-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stoiko Ivanov [Wed, 26 May 2021 14:51:59 +0000 (16:51 +0200)]
set sysctls on every apply
setting the sysctls needed on every run should not be too costly
(the original implementation used a `system` invocation, which was
far more expensive), and reduce the chances for side-effects.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Thomas Lamprecht [Mon, 24 May 2021 09:39:09 +0000 (11:39 +0200)]
buildsys: change upload/repo dist to bullseye
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 24 May 2021 09:15:50 +0000 (11:15 +0200)]
d/rules: cleanup systemd overrides
both, `override_dh_systemd_enable` and `override_dh_systemd_start`
are ignored with current compat level 12, and will become an error in
level >= 13, so drop them and use `override_dh_installsystemd` for
both of the previous uses.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 12 May 2021 18:23:15 +0000 (20:23 +0200)]
bump version to 4.2-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 12 May 2021 18:24:23 +0000 (20:24 +0200)]
debian: run wrap-and-sort -abt
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 12 May 2021 18:23:07 +0000 (20:23 +0200)]
install pvefw-logger.service in multi-user.target
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 12 May 2021 18:04:52 +0000 (20:04 +0200)]
d/control: bump debhelper compat to >= 12
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 12 May 2021 17:58:46 +0000 (19:58 +0200)]
fw logger: cosmetic fixes
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Aaron Lauterer [Thu, 22 Apr 2021 12:30:09 +0000 (14:30 +0200)]
fix #967: source: dest: limit length
iptables-restore has a buffer limit of 1024 for paramters [0].
If users end up adding a long list of IPs in the source or dest field
they might reach this limit. The result is that the rule will not be
applied and pve-firewall will show some error in the syslog which will
be "hidden" for most users.
Enforcing a smaller limit ourselves should help to avoid any such
situation. 512 characters should help to not run into any problems that
stem from differences in what counts as character. If people need longer
lists, using IP sets are the better approach anyway.
[0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
Mira Limbeck [Mon, 22 Feb 2021 12:00:18 +0000 (13:00 +0100)]
fix #2358: allow --<opt> in firewall rule config files
The docs mention --<opt> as valid syntax for firewall rules, but the
code that parses the .fw files only accepts -<opt>. To make it
consistent with the docs and the API, also accept --<opt>.
In addition allow 'proto' as option, not only '-p'.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Thomas Lamprecht [Fri, 18 Sep 2020 14:51:40 +0000 (16:51 +0200)]
bump version to 4.1-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 18 Sep 2020 14:39:08 +0000 (16:39 +0200)]
improve log burst property description
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 18 Sep 2020 14:37:06 +0000 (16:37 +0200)]
various typo fixes
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Fri, 29 May 2020 12:22:04 +0000 (14:22 +0200)]
introduce new icmp-type parameter
Currently icmp types are handled via 'dport'. This is not documented
anywhere except for a single line of comment in the code. To untangle
the icmp-type handling from the dport handling a new 'icmp-type'
parameter is introduced.
The valid 'icmp-type' values are limited to the names
(icmp[v6]_type_names hash in the code, same as ip[6]tables provides).
Type[/Code] values are not supported.
Support for ipv6-icmp is added to icmp-type parameter handling. This makes it
possible to specify icmpv6 types via the GUI.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Stoiko Ivanov [Tue, 2 Jun 2020 08:06:17 +0000 (10:06 +0200)]
fix #2773: ebtables: keep policy of custom chains
currently all ebtalbes chains are created with a hardcoded policy of ACCEPT.
This patch changes the functionality to store the configured policy of a
chain while reading the 'ebtables-save' output and uses this policy when
creating the command list.
This is only relevant for ebtablers chains not generated by pve-firewall (the
ones having an action of 'ignore' in the status-hash).
Reported on the pve-user list:
https://pve.proxmox.com/pipermail/pve-user/2020-May/171731.html
Minimally tested with the example from the thread.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Thomas Lamprecht [Wed, 6 May 2020 15:41:46 +0000 (17:41 +0200)]
bump version to 4.1-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 6 May 2020 15:40:33 +0000 (17:40 +0200)]
Revert "rules: verify referenced security group exists"
This could never work, we do not have the groups parsed at this
point..
This reverts commit
312ae5161f80d7cd600d9a182eb0b70492489a05.
Thomas Lamprecht [Mon, 4 May 2020 13:02:01 +0000 (15:02 +0200)]
bump version to 4.1-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 4 May 2020 12:13:23 +0000 (14:13 +0200)]
add dport: factor out ICMP-type validity checking
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 4 May 2020 12:13:02 +0000 (14:13 +0200)]
icmp: allow to specify the echo-reply (0) type as integer
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 4 May 2020 12:12:13 +0000 (14:12 +0200)]
fix typo: s/ICPM/ICMP/
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 4 May 2020 12:10:53 +0000 (14:10 +0200)]
test/simulator: add very basic ICMP type functionallity
For now without integer to full-name, and vice versa, mapping of
ICMP types.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 4 May 2020 12:09:53 +0000 (14:09 +0200)]
fwtester: reduce extra empty lines a bit
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 4 May 2020 11:52:44 +0000 (13:52 +0200)]
test/README: whitespace fixes and slight rewording
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Wed, 29 Apr 2020 13:45:24 +0000 (15:45 +0200)]
fix wrong icmpv6 types
This removes icmpv6-type 'any' as it is not supported by ip6tables. Also
introduced new icmpv6 types 'beyond-scope', 'failed-policy' and
'reject-route'. These values were taken from 'ip6tables -p icmpv6 -h'.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Mira Limbeck [Wed, 29 Apr 2020 13:45:23 +0000 (15:45 +0200)]
fix iptables-restore failing if icmp-type value > 255
This has to be done in both icmp and icmpv6 cases. Currently if
'ipv6-icmp' is set via the GUI ('icmpv6' is not available there) there
is no icmp-type handling. As this is meant to fix the iptables-restore
failure if an icmp-type > 255 is specified, no ipv6-icmp handling is
introduced.
These error messages are not logged as warnings are ignored. To get
these messages you have to run pve-firewall compile and look at the
output.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Thomas Lamprecht [Sat, 2 May 2020 16:57:04 +0000 (18:57 +0200)]
d/control: bump pve-cluster dependency for new lock methods
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Wed, 29 Apr 2020 08:52:56 +0000 (10:52 +0200)]
rules: verify referenced security group exists
while this was already handled properly (as empty rules), adding this as
error makes it much more visible (in the GUI as well).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 29 Apr 2020 08:52:55 +0000 (10:52 +0200)]
configs: warn about duplicate ipset entries
instead of silently dropping them when writing the config out.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 29 Apr 2020 08:52:54 +0000 (10:52 +0200)]
api/ipsets: parse_cidr before checking for duplicates
for example, the config parser drops a trailing /32 for IPv4, so we
should do the same here. otherwise we can have one entry for $IP and
one for $IP/32 with different properties until the next R-M-W cycle
drops one of them again.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 29 Apr 2020 08:52:53 +0000 (10:52 +0200)]
clone_vmfw_conf: lock new config
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 29 Apr 2020 08:52:52 +0000 (10:52 +0200)]
api: lock configs
wherever we have a r-m-w cycle.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 29 Apr 2020 08:52:50 +0000 (10:52 +0200)]
api: add locking helpers
for ipset, rules and alias API generation modules.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 29 Apr 2020 08:52:49 +0000 (10:52 +0200)]
configs: add locking helpers
to allow some level of safe concurrent config modification, instead of
the current free for all.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Mira Limbeck [Thu, 30 Apr 2020 10:26:41 +0000 (12:26 +0200)]
fix #2686: don't add arp-ip-src filter for dhcp
When the IPFilter setting is enabled and the container has DHCP
configured on an interface no 'arp-ip-src' filter should be added as we
don't have an IP address.
Previously '--arp-ip-src dhcp' was passed to ebtables which led to an error.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Christian Ebner [Tue, 28 Jan 2020 16:57:26 +0000 (17:57 +0100)]
logging: Add missing logmsg for inbound rules
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Mon, 27 Jan 2020 18:25:53 +0000 (19:25 +0100)]
bump version to 4.0-10
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Tue, 21 Jan 2020 09:24:30 +0000 (10:24 +0100)]
macros: add macro for Proxmox Mail Gateway web interface
Macro to allow access to the PMG web interface when hosted on PVE.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Thu, 9 Jan 2020 12:03:52 +0000 (13:03 +0100)]
fwtester: sort and group module usage
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 9 Jan 2020 11:55:13 +0000 (12:55 +0100)]
api node: always pass cluster conf to node FW parser
As else the parsing may lead to "false positive" errors, as cluster
wide aliases and other definitions are seemingly missing.
Reproducer:
* add *cluster* alias
* add+enable *host* rule using that alias
* enable FW on DC and node level
* go to Node -> FW -> Options
* check journal/syslog for error like:
> pveproxy[
1339680]: /etc/pve/nodes/dev6/host.fw (line 3) - errors in rule parameters: IN ACCEPT -source test123 -p tcp -sport 22 -log nolog
> pveproxy[
1339680]: source: no such alias 'test123'
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 13 Dec 2019 11:07:16 +0000 (12:07 +0100)]
grammar fix: s/does not exists/does not exist/g
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 3 Dec 2019 07:12:23 +0000 (08:12 +0100)]
bump version to 4.0-9
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Mon, 2 Dec 2019 15:55:57 +0000 (16:55 +0100)]
rules: allow connections on port range 60000:60050 in management network for migration
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Wolfgang Bumiller [Mon, 18 Nov 2019 12:51:46 +0000 (13:51 +0100)]
bump version to 4.0-8
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Alexandre Derumier [Tue, 12 Nov 2019 12:59:04 +0000 (13:59 +0100)]
add synflood protection
Currently, a virtio-net + vhost-net can handle between 200-300 kpps for each vm (with 1core/queue=1).
That mean than a vm can easily overloaded with a simple synflood (hping3 --flood -p 80 -S targetip).
Also the conntrack of the host can be saturated easily.
This patch introduce a new option, enable rate limiting of syn/s by src ip (protection_synflood:1).
rate limit can be set with : protection_synflood_rate (default 200 syn/s)
with an extra burst: protection_synflood_rate (default 1000).
It's also possible to reduce conntrack syn timeout: nf_conntrack_tcp_timeout_syn_recv (default 60).
with default values, a src ip can take around (60 * 200 = 12000 conntrack entries).
The iptables rules are done in raw table, before reaching the conntrack.
This protection works fine for non-spoofed src ip.
For spoofed src ip, the only way could be to implement SYNPROXY,
but this only works for routed/nat setup. (The host need to be able to reply
with the src ip the vm)
Some good information about synflood protections
https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Alexandre Derumier [Tue, 12 Nov 2019 12:59:03 +0000 (13:59 +0100)]
iptables : add raw table support
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:43 +0000 (11:28 +0100)]
d/control: add (build-)depends on libpve-cluster-perl
since it contains PVE::Corosync now
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Tue, 22 Oct 2019 09:14:44 +0000 (11:14 +0200)]
fw schemas: add defaults and improve some descriptions
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 22 Oct 2019 09:08:18 +0000 (11:08 +0200)]
increase default nf_conntrack_max to kernel default
for nf_conntrack_max the kernel uses by default the value:
(nf_conntrack_buckets value * 4) and nf_conntrack_buckets
is set to 2^16 for machines with more than 4GB memory, so the
resulting default would be 2^18 == 262144.
As PVE hoists are expected to have more than such a, nowadays rather
small, amount of memory, update the default to match the one which
would be normally used anyway.
[0]: https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Mon, 26 Aug 2019 12:55:25 +0000 (14:55 +0200)]
fix use of uninitialized value
$param->{rename} was not checked for definedness even though it is
optional. This lead to a 'use of uninitialized value' when just updating
the cidr.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Fabian Grünbichler [Wed, 7 Aug 2019 08:55:20 +0000 (10:55 +0200)]
bump version to 4.0-7
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Mira Limbeck [Tue, 6 Aug 2019 08:25:14 +0000 (10:25 +0200)]
only add VM chains if VM firewall is enabled
Before if a NIC had the firewall enabled and the MAC filter was active,
a rule was added to the tap device even if the VM firewall was not
enabled. This led to nested machines not being able to reach outside.
Testcase: Host <-> VM <-> CT all on the same bridge. Host and CT could
not reach each other because of the MAC filter.
Now we check if the VM firewall is enabled and only add the MAC and
IP filters then.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Fabian Grünbichler [Wed, 7 Aug 2019 07:28:14 +0000 (09:28 +0200)]
fix indentation/whitspace
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 7 Aug 2019 07:25:36 +0000 (09:25 +0200)]
skip tap rule generation if vmfw is disabled
like for containers, and adapt code style to be identical.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Tue, 23 Jul 2019 16:57:54 +0000 (18:57 +0200)]
bump version to 4.0-6
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Fri, 12 Jul 2019 11:31:34 +0000 (13:31 +0200)]
firewall macros: add new Ceph protocol v2 port while keeping v1 port
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Fri, 12 Jul 2019 11:02:35 +0000 (13:02 +0200)]
followup code cleanup
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 12 Jul 2019 09:47:57 +0000 (11:47 +0200)]
bump version to 4.0-5
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 12 Jul 2019 09:30:12 +0000 (11:30 +0200)]
remove base path of runcommand calls
this makes us compatible with both, usrmerged and non-usrmerged
systems, also it's the recommended way - we have a sane PATH in
run_command
Also transform to array calls, if we touch them anyway
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Jul 2019 17:40:22 +0000 (19:40 +0200)]
bump version to 4.0-4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 10 Jul 2019 11:33:07 +0000 (13:33 +0200)]
use /usr/sbin as base path
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Wed, 10 Jul 2019 09:59:20 +0000 (11:59 +0200)]
ebtables: treat chain deletion as change
since it is one. otherwise, 'pve-firewall compile' will print false
information as long as the deletion has not been applied yet.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 10 Jul 2019 09:59:19 +0000 (11:59 +0200)]
ebtables: remove PVE chains properly
when globally disabling the FW, or on shutdown of firewall service.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Thu, 4 Jul 2019 13:57:06 +0000 (15:57 +0200)]
bump version to 4.0-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Wed, 3 Jul 2019 13:58:51 +0000 (15:58 +0200)]
localnet: skip local node for corosync information
since we neither do nor actually need to allow such traffic.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 3 Jul 2019 13:58:16 +0000 (15:58 +0200)]
localnet: simplify code
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 3 Jul 2019 13:57:43 +0000 (15:57 +0200)]
localnet: rename variables
to prevent confusion between local nodename and iterator entry
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Stefan Reiter [Wed, 3 Jul 2019 12:27:35 +0000 (14:27 +0200)]
Formatting fixes (trailing whitespace and indentation)
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Stefan Reiter [Wed, 3 Jul 2019 12:27:34 +0000 (14:27 +0200)]
Display corosync rule info on localnet call
If no corosync.conf exists (i.e. a standalone node), the output is left
the same.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Stefan Reiter [Wed, 3 Jul 2019 12:27:33 +0000 (14:27 +0200)]
Check if corosync.conf exists before calling parser
Calling cfs_read_file with no corosync.conf (i.e. on a standalone node)
returns {} instead of undef. The previous patches assumes undef for this
scenario. To avoid confusing checks all over the place, simply leave the
config as undef if no file exists.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Fabian Grünbichler [Tue, 2 Jul 2019 09:48:01 +0000 (11:48 +0200)]
add missing build-depends on libpve-access-control
needed for building the doc files / pve-firewall synopsis
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 2 Jul 2019 08:46:01 +0000 (10:46 +0200)]
add versioned (build-) dependency on pve-cluster
for newly introduced corosync helpers
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 2 Jul 2019 08:27:49 +0000 (10:27 +0200)]
corosync: refactor if conditions
to remove one level of indentation
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 2 Jul 2019 08:24:45 +0000 (10:24 +0200)]
corosync: fix multicast detection
for Corosync 3.x, multicast is only needed if the transport is explicitly set to 'udp'
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Stefan Reiter [Mon, 1 Jul 2019 15:22:17 +0000 (17:22 +0200)]
Only include multicast rules if transport is udp
Only applies to corosync 3.
Testing config is changed to allow simulation of multicast rules.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Stefan Reiter [Mon, 1 Jul 2019 15:22:16 +0000 (17:22 +0200)]
Update and add tests for corosync firewall changes
Since corosync rules are now only created when a corosync.conf file is
present, a static corosync.conf has been added and will be loaded for
testing.
New test rules have been introduced to check corosync rules relating to
different rings/links.
Includes hostnames in config to trigger resolving codepaths.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Stefan Reiter [Mon, 1 Jul 2019 15:22:15 +0000 (17:22 +0200)]
Create corosync firewall rules independently of localnet
"localnet" does not necessarily correspond to the correct network for
corosync (e.g. corosync rings/link can be run independently from other PVE
cluster service networks).
This change uses the previously introduced sub 'for_all_corosync_addresses'
to iterate through all nodes in a corosync cluster and generate rules for
all nodes and all their respective ringX_addr's it finds.
The rules are generated as strict as possible, there is a specific rule
for every remote node and every ring/link. Also, communication "between"
different links/rings is not allowed, e.g. a remote ring1_addr cannot
contact a local ring0_addr, and vice versa.
Multicast is always allowed, for backwards compatibility. Note however,
that we no longer filter on the source of inbound multicast packets,
since that would require localnet, and thus introduce the bug we're
trying to fix once again.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Thomas Lamprecht [Mon, 24 Jun 2019 18:43:57 +0000 (20:43 +0200)]
bump version to 4.0-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 24 Jun 2019 18:36:09 +0000 (20:36 +0200)]
pve-firewall.service: update-alternative ip-/eb- tables to legacy versions
This is rather a bit of an hack but works for us for now.
we need to use the legacy versions for both due some bugs in the
nftables based versions, i.e., for iptables it's Debian bug #929527 [0]
and for ebtables it's Debian bug #929976 [1]. While the first gained
some response from the maintainer and a solution is in sight it's
currently blocked by Buster release freeze policy. The second one did
not get any response so far.
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 28 May 2019 06:06:39 +0000 (08:06 +0200)]
fix CT rule generation with ipfilter set
commit
255698f65192e736708f123d380bbed2aa8c3eac tried to prevent an
error from happening but wasn't to well thought out, perl's operator
precedence was overlooked.
The commit resulted effectively in:
if (my $ip = ($net->{ip} && $vmfw_conf->{options}->{ipfilter})) ...
But intended was:
if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) ...
First one makes $ip always boolean true (1 in perl) if the if branch
is hit, and the seconds really has then the $ip value in it..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 25 May 2019 16:27:46 +0000 (18:27 +0200)]
fix systemd warning about PIDFile directory
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 23 May 2019 16:19:56 +0000 (18:19 +0200)]
buildsys: switch upload dist over to buster
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:30:27 +0000 (22:30 +0200)]
bump version to 4.0-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:30:14 +0000 (22:30 +0200)]
bump debian compat level to 10
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:28:39 +0000 (22:28 +0200)]
buildsys: use dpkg-dev makefile helpers for pkg info
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:12:44 +0000 (22:12 +0200)]
d/control: fix build-depends-on-obsolete-package
build-depends: dh-systemd => use debhelper (>= 9.
20160709)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:11:48 +0000 (22:11 +0200)]
d/control: fix priority-extra-is-replaced-by-priority-optional
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Wed, 15 May 2019 15:09:13 +0000 (17:09 +0200)]
Remove redundant logging of packets passing the tap chain.
Incomming and outgoing packets passing the firewall bridge were unneccessarily
logged, leading to double entries.
The first log entry occurred when passing the bridge, the second when the packets
fate was decided (ACCEPT/DROP/REJECT).
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Wed, 8 May 2019 10:18:38 +0000 (10:18 +0000)]
bump version to 3.0-21
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 7 May 2019 09:52:58 +0000 (09:52 +0000)]
followup: do not replace original variable content
this could be confusing, if someone adds code which uses $net->{ip}
it may work for the case were ipfilter is off but not else (which may
not get tested), so keep the original $net intact and copy the scalar
value..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 7 May 2019 09:40:57 +0000 (09:40 +0000)]
followup: code cleanup and comment
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Thu, 2 May 2019 05:04:16 +0000 (07:04 +0200)]
fix #2193: arpfilter: CT: remove mask from net ip cidr.
We need to send to ebtables an host address without prefix or with
/32 prefix.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
projects / pve-firewall.git / log